
Global Journal of Business Management and Information Technology, Volume 1, Number 2 (2011), Research India Publications

Queuing Algorithms Performance against Buffer Size and Attack Intensities

Santosh Kumar 1, Abhinav Bhandari 2, A.L. Sangal 3 and Krishan Kumar Saluja 4
1, 2, 3 Computer Science and Engineering, Dr. B. R. Ambedkar NIT, Jalandhar, India
4 S.B.S.C.E.T Firojpur, India

Abstract

A Distributed Denial of Service (DDoS) attack is one of the biggest threats today. This paper presents simulation results on how buffer size and attack intensity affect various queuing algorithms, namely DropTail, Fair Queuing (FQ), Stochastic Fair Queuing (SFQ), Deficit Round Robin (DRR) and Random Early Detection (RED), using ns-2 as the simulation environment. The results indicate that Stochastic Fair Queuing is the best algorithm in terms of providing maximum bandwidth to legitimate users across the attack intensities studied. The simulation results also show that varying the buffer size has no effect on Fair Queuing, Stochastic Fair Queuing and Deficit Round Robin, while DropTail and Random Early Detection perform best at buffer size 60 across the attack intensities studied. The paper also gives a basic overview of Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, attacking methods, DDoS defense approaches and queuing algorithms.

Keywords: DDoS, Queuing algorithms, Buffer size, Attack intensities

Introduction

A denial of service attack is an attempt to prevent legitimate users from accessing a network resource such as a website, computer system or web service [1]. The aim of a DoS attack is to send a vast number of messages to the destination so that it crashes, reboots or is unable to fulfil legitimate users' requests [2]. A Distributed Denial of Service attack is a coordinated denial of service attack that uses many computers to launch an attack against one or many destinations [3]. To launch a coordinated attack, DDoS uses many compromised systems to degrade the performance of the target. The target of a Distributed Denial of Service attack is called the primary victim, while the compromised systems used to launch the attack are often called secondary victims. Fig. 1 shows the architecture of a DDoS attack.

Thousands of attacks occur on a regular basis and few of them are caught or traced. There are many types of attackers who participate in DoS attacks. Sophisticated attackers hide their identities by several means during the attack. Script kiddies use the few kinds of attacking tools available on the internet; such attackers sometimes get caught or are easily traced because they leave sufficient trails [4]. Another type is the potential attacker who uses self-developed scripts or tools; they are smart enough to write their own code.

Two types of attacks occur in the network: (i) a vulnerability attack, in which the attacker exploits a vulnerability present in the system, and (ii) a flood attack, in which the attacker sends a vast number of messages to overwhelm the network by consuming bandwidth. Many attacking methods, such as smurf attack, ping flood, ping of death, SYN flood, teardrop attack, permanent denial of service attack, degradation of service attack and nuke, are used in DoS and DDoS attacks.

Fig. 1: Handler/Agent Architecture [2].

Some attackers are smart enough to create their own attack code, but most commonly they use code written by others. Such code is typically built into a general, easily used package called an attack toolkit. It is very common today for attackers to bundle a large number of programs into a single archive file, often with scripts that automate its installation. Nowadays attacking tools such as Trinoo, Tribe Flood Network (TFN), Stacheldraht, Shaft and Tribe Flood Network 2000 (TFN2K) are used as DDoS attack toolkits [5-8].

DDoS Defense Approaches

The aim of a DDoS defense approach is to improve the security level of a computer system or network. A few of them are explained below.

Disabling unused services. If there are fewer application services and open ports on hosts, there is less chance of attackers exploiting vulnerabilities. Therefore the best way to reduce the chance of a DDoS attack is to disable services that are not in use, e.g. UDP echo and character generation services [9].

Install latest security patches. Nowadays attacks are based on exploiting a vulnerability in the target system, so by installing the latest security patches we can prevent re-exploitation of vulnerabilities present in the target system [9].

Disabling IP broadcast. Attackers generally use intermediate broadcasting nodes to consume network bandwidth; smurf and ICMP flood attacks are based on broadcasting. Defense against such attacks succeeds if the host computer and all intermediate nodes disable IP broadcast [10].

Firewalls. A firewall is a device used to protect the network from unauthorized access while permitting legitimate services to pass through it. Firewalls have policies such as allowing or denying protocols, ports or IP addresses [11]. But for some complex attacks, such as an attack on port 80 (web services), firewalls cannot prevent the attack because they cannot distinguish good traffic from DoS attack traffic.

IP hopping. In IP hopping, the IP address of an active server is proactively changed within a pre-specified set of IP addresses [12]. The victim computer's IP address is invalidated by replacing it with a new one. Once the IP address is changed, all routers in the network are informed and the edge router drops the attacking packets, so the attack can be prevented using IP hopping. The drawback of this technique is that another system may become the attacker's victim if it is allocated the previous IP address of the active server.

Ingress/Egress filtering. Ingress filtering is a restrictive mechanism that drops any incoming packet whose IP address does not match a domain prefix connected to the ingress router. Egress filtering ensures that a packet leaving a network and claiming an IP address of that network really has an address within that network's range [14]. The first and most important requirement for ingress/egress filtering is knowledge of the IP addresses expected at a particular port, but for some networks with complicated topologies this knowledge is not easy to obtain. Reverse path filtering [15] is a technique used to build this knowledge: each router knows which network is reachable via which of its interfaces. If a packet arriving at a particular interface claims that its source IP address belongs to a particular network, the router cross-checks by trying to find out whether that source address is reachable via that interface. If yes, the packet is allowed to pass through the router; otherwise it is dropped.

Defense against IP spoofing. This is a defense mechanism against IP spoofing based on trusted nodes and traceroute [16]. Consider a network consisting of trusted nodes. Each trusted node contains access information about all other nodes, such as node name and IP address, hop count and the traceroute from itself to the other trusted nodes. IP spoofing is a process in which the attacker sends a request to a destination node with a spoofed source address. In this method, whenever a node sends a request to another node to establish communication, the node that receives the request first verifies the sender with traceroute to determine whether it is a trusted node. In the traceroute method, a node that receives a request tries to reach that IP address to check whether it is accessible. If the node is not accessible, the receiver of the request gets a "host is unreachable" message and does not respond to that IP address.

Queuing Algorithms

A queuing algorithm manages access to the fixed amount of output port bandwidth by selecting which packet should be transmitted and which should be dropped when the queue limit is fully occupied. There are many different queue scheduling algorithms, balancing complexity, control and fairness. Congestion occurs when packets arrive at an output port faster than they can be transmitted; a router interface is already congested if a single packet has to wait for another packet to complete its transmission. The task of a queue scheduling algorithm is to minimize congestion and provide fair bandwidth to each of the different services competing for bandwidth on the output port. It also provides protection between services on the output port, so that a poorly behaved service in one queue cannot impact the bandwidth delivered to the others. In our simulation we use the DropTail, Fair Queuing (FQ), Stochastic Fair Queuing (SFQ), Deficit Round Robin (DRR) and Random Early Detection (RED) implementations available in ns-2.

Fig. 2: DropTail [17].

DropTail

DropTail is one of the simplest algorithms and is widely used in internet routers. It is based on a first in first out (FIFO) queue policy [17]. All incoming packets are stored in a buffer or queue of limited size, and the router serves the packets stored in the queue in the same order as they were placed. Fig. 2 shows the function of the DropTail algorithm.

Fair Queuing

Fair Queuing is an algorithm whose aim is to allocate bandwidth fairly among different flows [10]. It maintains a separate queue for each flow; flows may be distinguished by packet size or by the sending rate of the source computers. The queues are served by the router in a sort of round robin. Fair Queuing is based on the finishing time of each packet: it calculates the finishing time of the packet at the head of each queue, compares these finishing times, and transmits the packet with the shortest finishing time first.

Fig. 3: Fair Queuing example: (a) the packet with the shortest finishing time is transmitted first; (b) the packet already being sent is completed first [17].

Consider the example of the Fair Queuing algorithm shown in Fig. 3. The router separates the incoming traffic into different flows, Flow 1 and Flow 2, and arriving packets are stored in the flow to which they belong. In Fig. 3 (a), flow 1 holds two packets, one with finishing time F=8 and another with F=5, and flow 2 holds one packet with finishing time F=10. The finishing times of the packets at the head of each queue are compared: the packet with F=8 in flow 1 is compared with the packet with F=10 in flow 2, and the packet with F=8 is transmitted first because it has the shorter finishing time. After the F=8 packet is fully transmitted, the head of flow 1 is again compared with the head of flow 2; the packet with F=5 is shorter, so it is transmitted next, and then the packet with F=10 from flow 2 is transmitted. In Fig. 3 (b), the flow 2 packet with F=10 is being transmitted when a packet with F=2 arrives in flow 1; the transmission of the flow 2 packet is not halted, and after it completes the packet with F=2 is sent.

Stochastic Fair Queuing

Stochastic Fair Queuing is an implementation of Fair Queuing that uses a hash algorithm to divide the traffic over a limited number of queues [17]. Because of the hashing, multiple sessions might end up in the same bucket. SFQ changes its hashing algorithm periodically so that any two colliding sessions only share a bucket for a small number of seconds.
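The head-of-line comparison of Fig. 3 and SFQ's hashed bucketing, as an added Python model (not code from the paper and not ns-2's FQ or SFQ). The `arrive` method goes beyond the figure by computing finishing times with the textbook bit-by-bit round-robin approximation F = max(F_prev, A) + L, where A is the arrival time and L the packet length; that formula, the SHA-256 bucketing and the flow identifiers are assumptions made here.

```python
"""Fair Queuing (Fig. 3) and Stochastic Fair Queuing bucketing: a small Python
model added for illustration; not code from the paper and not ns-2's FQ/SFQ."""
from collections import deque
import hashlib


class FairQueue:
    """One FIFO per flow.  At each packet boundary the scheduler compares the
    finishing time F of the packet at the HEAD of every non-empty queue and
    transmits the one with the smallest F.  A packet already in flight is
    never preempted, which is what Fig. 3 (b) illustrates."""

    def __init__(self):
        self.queues = {}       # flow id -> deque of (finishing time, label)
        self.last_finish = {}  # flow id -> F of the last packet enqueued

    def enqueue(self, flow, finish_time):
        """Enqueue a packet whose finishing time is already known (as in Fig. 3)."""
        self.queues.setdefault(flow, deque()).append((finish_time, f"F={finish_time}"))

    def arrive(self, flow, arrival_time, length):
        """Enqueue a packet and compute its finishing time with the textbook
        bit-by-bit round-robin approximation (assumption, not from the paper):
            F = max(F_prev_of_this_flow, arrival_time) + length"""
        finish = max(self.last_finish.get(flow, 0), arrival_time) + length
        self.last_finish[flow] = finish
        self.enqueue(flow, finish)
        return finish

    def send_next(self):
        """Label of the packet transmitted next, or None when all queues are empty."""
        heads = [(q[0][0], flow) for flow, q in self.queues.items() if q]
        if not heads:
            return None
        _, flow = min(heads)
        return self.queues[flow].popleft()[1]


def fig3_case_a():
    """Flow 1 holds F=8 (head) then F=5; flow 2 holds F=10."""
    fq = FairQueue()
    fq.enqueue(1, 8)
    fq.enqueue(1, 5)   # queued behind F=8 in flow 1's FIFO
    fq.enqueue(2, 10)
    return [fq.send_next() for _ in range(3)]


def fig3_case_b():
    """F=10 is in flight when F=2 arrives; F=2 goes out only afterwards."""
    fq = FairQueue()
    fq.enqueue(2, 10)
    order = [fq.send_next()]   # link is now busy with F=10
    fq.enqueue(1, 2)           # arrives mid-transmission
    order.append(fq.send_next())
    return order


def sfq_bucket(flow_id, perturbation, n_buckets=16):
    """SFQ maps a flow to one of a limited number of queues by hashing.  The
    perturbation value is changed every few seconds so that two flows that
    collide in one bucket are separated again shortly afterwards."""
    digest = hashlib.sha256(f"{perturbation}:{flow_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_buckets


def sfq_collisions(flow_ids, perturbation, n_buckets=16):
    """Groups of flows sharing a bucket under one perturbation value."""
    buckets = {}
    for fid in flow_ids:
        buckets.setdefault(sfq_bucket(fid, perturbation, n_buckets), []).append(fid)
    return [group for group in buckets.values() if len(group) > 1]
```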

Deficit Round Robin

Deficit Round Robin uses three parameters: weight, DeficitCounter and quantum [18]. The weight decides what percentage of the output port must be allocated to the queue. The DeficitCounter decides whether a queue is permitted to send a data packet or not. The quantum is proportional to the weight of a queue and is expressed in bytes [19]. The operation of Deficit Round Robin is shown in Fig. 4.

Fig. 4: Deficit Round Robin [19].

Random Early Detection

The objective of the Random Early Detection (RED) algorithm is to distribute the effect of congestion fairly among all traffic sources competing for the bandwidth by randomly dropping packets from the queue. To avoid congestion, packets are dropped early, when congestion is imminent. To achieve this, RED monitors the average queue size and checks whether it lies between a minimum threshold and a maximum threshold. If so, the arriving packet is marked or dropped with a probability that is an increasing function of the average queue size. All arriving packets are dropped when the average does not lie between the minimum and maximum thresholds.

Simulations for Studying the Effect of Attack Intensities and Buffer Size on Various Queuing Algorithms

Fig. 5 shows the simulation structure used to check the performance of the different queuing algorithms. Node 0, node 1, node 2, node 3, node 4, node 5 and node 6 represent the legitimate TCP user, legitimate UDP user, attacker 1, attacker 2, attacker 3, router and receiver respectively. All links between nodes have 1 Mbps bandwidth and a propagation delay of 100 ms. These nodes send data packets to the receiver; packets are first stored at the router (node 5) and then forwarded. Each router in the internet maintains queues to store data packets, and the size of the queue may vary. The attackers use a UDP flood attack. Here we study the effect of varying the attack intensity and the buffer size on the different queuing algorithms.

Suppose there is a 1 Mbps link between a particular router and the destination node, and the packets arriving at the router amount to 1.3 Mbps. The router can transfer only 1 Mbps of data at a time; the remaining 0.3 Mbps, or 30% of the data, will be dropped by the router. This is referred to as a 30% attack intensity. Table 1 shows the details of the simulation parameters.

Fig. 5: Simulation structure

Table 1: Simulation Parameters
  Number of Nodes               7
  Link bandwidth between Nodes  1 Mbps
  Propagation Delay             100 ms
  Simulation Time               50 seconds
  Attack intensity range        20% to 60%

Buffer size effect on DropTail

Figures 6 (a), 6 (b) and 6 (c) show the effect of buffer size on the DropTail algorithm against 20%, 60% and 120% attack intensities respectively.

Figure 6 (a) shows that as the buffer size increases gradually from 20 to 60 there is not much effect on the bandwidth obtained by the legitimate UDP user, but the bandwidth obtained by the legitimate TCP user gradually increases; from buffer size 60 to 80 the bandwidth obtained by the TCP user gradually decreases. Figure 6 (b) shows no effect on the legitimate UDP user, while the legitimate TCP user obtains maximum bandwidth at buffer size 60. Figure 6 (c) likewise shows little effect on the legitimate TCP user, while the legitimate UDP user obtains maximum bandwidth at buffer size 60. The conclusion is that DropTail performs best at buffer size 60 across the attack intensities tested.

Buffer size effect on Random Early Detection

Figures 7 (a), 7 (b) and 7 (c) show the effect of buffer size on the RED algorithm against 20%, 60% and 120% attack intensities respectively. Figure 7 (a) shows no effect of buffer size on the legitimate TCP user, while the legitimate UDP user obtains maximum bandwidth when the buffer size is greater than or equal to 60. Figure 7 (b) shows that the legitimate user obtains maximum bandwidth at buffer size 60; the legitimate TCP user sees a constant effect as the buffer size varies from 20 to 60 and obtains less bandwidth at buffer sizes greater than 60. Figure 7 (c) shows that the legitimate UDP user obtains constant bandwidth for buffer sizes from 40 to 100. The conclusion is that the RED algorithm performs best when the buffer size is 60.

Buffer size effect on FQ, SFQ and DRR

The simulation studies show that buffer size has a constant effect on the FQ, SFQ and DRR queuing algorithms against 20%, 60% and 120% attack intensities.

Fig. 7 (a): Buffer size effect on RED against 20% attack intensity
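The RED drop decision whose buffer-size sensitivity Figures 7 (a) to (c) report, as an added Python model (not the paper's code and not ns-2's RED queue). It follows Floyd and Jacobson's RED: an exponentially weighted moving average of the queue length, a linear drop probability between min_th and max_th, and forced drops above max_th, with nothing dropped below min_th. Tying min_th and max_th to a quarter and three quarters of the buffer size, and the slotted arrival model, are assumptions made here.

```python
"""Random Early Detection (RED) gateway: added illustrative model, not the
paper's code and not the ns-2 RED queue."""
import random


class RedQueue:
    """Buffer of 'limit' packets guarded by RED.  avg is an EWMA of the queue
    length updated on every arrival; the drop probability ramps linearly from
    0 at min_th to max_p at max_th, and above max_th every arrival is dropped.
    The full RED also spaces drops with a counter and ages avg during idle
    periods; both are left out here to keep the decision itself visible."""

    def __init__(self, limit, min_th, max_th, max_p=0.1, w_q=0.02, seed=1):
        assert 0 < min_th < max_th <= limit
        self.limit, self.min_th, self.max_th = limit, min_th, max_th
        self.max_p, self.w_q = max_p, w_q
        self.q = 0        # instantaneous queue length (packets)
        self.avg = 0.0    # exponentially weighted average queue length
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.dropped = {"early": 0, "forced": 0, "overflow": 0}

    def drop_probability(self, avg=None):
        """Linear ramp used between the thresholds."""
        avg = self.avg if avg is None else avg
        return self.max_p * (avg - self.min_th) / (self.max_th - self.min_th)

    def arrive(self):
        """Handle one packet arrival; return True if it is queued."""
        self.avg = (1 - self.w_q) * self.avg + self.w_q * self.q
        if self.q >= self.limit:                 # physical buffer full
            self.dropped["overflow"] += 1
            return False
        if self.avg >= self.max_th:              # congestion already present
            self.dropped["forced"] += 1
            return False
        if self.avg > self.min_th and self.rng.random() < self.drop_probability():
            self.dropped["early"] += 1           # congestion imminent: early drop
            return False
        self.q += 1
        return True

    def depart(self):
        """The output link finishes sending one packet."""
        if self.q > 0:
            self.q -= 1


def simulate(limit, arrivals_per_tick, ticks, seed=1):
    """Slotted model (constructed): each tick a burst of arrivals hits the
    queue, then one packet departs.  Thresholds are set to 1/4 and 3/4 of the
    buffer size so that varying the buffer size (the paper's variable) moves
    them too."""
    red = RedQueue(limit, min_th=limit // 4, max_th=3 * limit // 4, seed=seed)
    accepted = max_q = 0
    for _ in range(ticks):
        for _ in range(arrivals_per_tick):
            if red.arrive():
                accepted += 1
        max_q = max(max_q, red.q)
        red.depart()
    return {"accepted": accepted, "max_queue": max_q, **red.dropped}


def compare_buffer_sizes(sizes=(20, 40, 60, 80, 100), arrivals_per_tick=2, ticks=3000):
    """Drop breakdown for each buffer size under the same overload."""
    return {size: simulate(size, arrivals_per_tick, ticks) for size in sizes}
```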

Fig. 7 (b): Buffer size effect on RED against 60% attack intensity

Fig. 7 (c): Buffer size effect on RED against 120% attack intensity

DropTail performance against attack intensities

In this section we check the performance of the DropTail algorithm with queue limit 80 against different attack intensities. Fig. 8 shows the performance of the DropTail algorithm. It is clear from the graph that as the attack intensity increases, the bandwidth obtained by the legitimate TCP and UDP users gradually decreases.

Fig. 8: DropTail performance

Fair Queuing performance against attack intensities

Fig. 9 shows the performance of the Fair Queuing algorithm. From the graph it is clear that the bandwidth obtained by the legitimate users decreases as the attack intensity increases from 20% to 40%, and that attack intensities from 40% to 140% have a constant effect.

Fig. 9: Fair Queuing performance

Stochastic Fair Queuing performance against attack intensities

Fig. 11 shows the performance of the Stochastic Fair Queuing algorithm. The graph shows a constant effect of attack intensity on the legitimate TCP and UDP users.

Deficit Round Robin performance against attack intensities

Fig. 11 shows the performance of the Deficit Round Robin algorithm. As the attack intensity increases, the bandwidth obtained by the legitimate TCP user gradually decreases, while there is a constant effect on the bandwidth obtained by the UDP user for attack intensities from 40% to 140%.
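The deficit-counter mechanism behind the constant UDP share that Fig. 11 reports for Deficit Round Robin, as an added Python model (not the paper's code and not ns-2's DRR queue). The packet sizes, weights and the "legit" and "flood" flow names are constructed for the example; it also shows the weight parameter, which the figure does not exercise.

```python
"""Deficit Round Robin (DRR): added illustrative Python model, not the
paper's code and not the ns-2 DRR queue."""
from collections import deque


class DeficitRoundRobin:
    """Each flow has a weight; its quantum is weight * base_quantum bytes.
    When the scheduler visits an active flow it adds the quantum to the
    flow's DeficitCounter and sends head-of-line packets while they fit in the
    counter.  A flow whose queue empties has its counter reset to 0, so idle
    flows cannot bank credit and spend it later in a burst."""

    def __init__(self, base_quantum=500):
        self.base_quantum = base_quantum
        self.queues = {}    # flow -> deque of packet sizes in bytes
        self.weight = {}    # flow -> weight
        self.deficit = {}   # flow -> DeficitCounter in bytes
        self.served = {}    # flow -> bytes transmitted so far

    def add_flow(self, flow, weight=1):
        self.queues[flow] = deque()
        self.weight[flow] = weight
        self.deficit[flow] = 0
        self.served[flow] = 0

    def enqueue(self, flow, size):
        self.queues[flow].append(size)

    def quantum(self, flow):
        return self.weight[flow] * self.base_quantum

    def run_round(self):
        """Visit every active queue once; return the (flow, size) pairs sent."""
        sent = []
        for flow, q in self.queues.items():
            if not q:
                continue                       # inactive flows are skipped
            self.deficit[flow] += self.quantum(flow)
            while q and q[0] <= self.deficit[flow]:
                size = q.popleft()
                self.deficit[flow] -= size
                self.served[flow] += size
                sent.append((flow, size))
            if not q:
                self.deficit[flow] = 0         # no credit carried while idle
        return sent

    def run(self, rounds):
        for _ in range(rounds):
            self.run_round()
        return dict(self.served)


def legit_bytes_under_flood(flood_packets, rounds=5):
    """Constructed scenario: a legitimate flow with ten 500-byte packets and a
    UDP flood with 'flood_packets' 1000-byte packets, equal weights and a
    1000-byte quantum.  Whatever the flood offers, each flow is served at most
    one quantum per round, so the legitimate flow's service does not change."""
    drr = DeficitRoundRobin(base_quantum=1000)
    drr.add_flow("legit")
    drr.add_flow("flood")
    for _ in range(10):
        drr.enqueue("legit", 500)
    for _ in range(flood_packets):
        drr.enqueue("flood", 1000)
    return drr.run(rounds)


def weighted_rounds(rounds=4):
    """Weights 3:1 with a 500-byte base quantum give quanta of 1500 and 500
    bytes.  A 1200-byte packet on the weight-1 flow must wait until its counter
    has accumulated over three rounds before it can be sent."""
    drr = DeficitRoundRobin(base_quantum=500)
    drr.add_flow("a", weight=3)
    drr.add_flow("b", weight=1)
    for _ in range(20):
        drr.enqueue("a", 750)
    for _ in range(10):
        drr.enqueue("b", 1200)
    return [drr.run_round() for _ in range(rounds)]
```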

Fig. 12: Random Early Detection performance

Performance comparison of queuing algorithms

Figs. 13 (a) and 13 (b) compare the bandwidth obtained by the legitimate TCP and UDP users under the different queuing algorithms against different attack intensities. According to Fig. 13 (a), the legitimate TCP user gets maximum throughput with the Stochastic Fair Queuing algorithm. Fig. 13 (b) shows that the legitimate UDP user gets maximum bandwidth, 75%, with Deficit Round Robin; but with Deficit Round Robin the legitimate TCP user gets only 33% bandwidth. So if we consider the throughput of the TCP user, Deficit Round Robin is not good enough, but if we consider only the UDP user it is the best algorithm. Fair Queuing is the second best algorithm for providing maximum bandwidth to the legitimate UDP user: it provides 70% bandwidth to the legitimate UDP user and 50% to the legitimate TCP user, while Stochastic Fair Queuing provides 85% throughput to the legitimate TCP user and 55% to the legitimate UDP user. So finally, Stochastic Fair Queuing is the best algorithm among all of them at providing satisfactory bandwidth to legitimate users when both legitimate TCP and UDP users are present in the network, and Fair Queuing is the second best.

Fig. 13 (a): Comparison of throughput of the TCP user on different queuing algorithms

Fig. 13 (b): Comparison of throughput of the UDP user on different queuing algorithms

Conclusion

We have given a basic overview of DDoS, attacking methods, DDoS attack toolkits and DDoS prevention mechanisms, and discussed the various queuing algorithms. We focused mainly on the effect of buffer size and attack intensity on the various queuing algorithms. The simulation results show that the DropTail and Random Early Detection (RED) algorithms give their best performance at buffer size 60, while variation in buffer size has no effect on the FQ, SFQ and DRR algorithms. We also found that Stochastic Fair Queuing is the best algorithm against attack intensities in terms of providing maximum bandwidth to the legitimate users. The results indicate that buffer size 60 should be set for the DropTail and RED algorithms.
